Self-hosted sandboxes and MCP tunnels shipped at Code with Claude London - the MCP spec RC went stateless - KPMG put Claude in front of 276,000 people

The story this week is the agent runtime perimeter moving. At Code with Claude London on May 19, Anthropic shipped self-hosted sandboxes in public beta and MCP tunnels in research preview: the tool-execution layer of a Claude Managed Agent can now run inside your network on your own infrastructure (or via Cloudflare, Daytona, Modal, or Vercel) while the agent loop itself - orchestration, context management, error recovery - keeps running on Anthropic's servers. Files and repositories no longer leave the customer perimeter.

Two days later, on May 21, the next MCP specification release candidate locked. The Mcp-Session-Id header is gone, the protocol layer is fully stateless, and any MCP request can now land on any server instance - sticky routing and shared session stores are no longer protocol requirements. The RC also lands the Extensions framework, Tasks, MCP Apps, authorization hardening, and a formal deprecation policy. The final spec publishes 2026-07-28; SDK maintainers have a 10-week window to validate.

Different timelines, same direction: the architectural baggage that made agent infrastructure feel borrowed is getting torn down. The enterprise side moved with it - KPMG put Claude in front of 276,000 people via the new Digital Gateway alliance, also announced May 19.

From us

• Why typed doesn't use 5-hour windows like Claude Pro - typed's monthly quota with optional top-ups vs. Claude Pro's rolling 5-hour reset windows; why the rolling window punishes long async sessions and what monthly billing changes for agentic workflows

Anthropic this week

• Self-hosted sandboxes (public beta) and MCP tunnels (research preview) - shipped at Code with Claude London on May 19. Tool execution runs inside your perimeter on your own infra or with Cloudflare/Daytona/Modal/Vercel; MCP tunnels open a single outbound encrypted connection to internal MCP servers with no inbound firewall rules required
• Project Glasswing: an initial update - Claude Security moves to public beta with new cyber verification tools for eligible teams: scanning codebases, triaging vulnerabilities, and generating fixes

MCP this week

• The 2026-07-28 MCP specification release candidate - locked May 21. Stateless protocol core, Mcp-Session-Id header removed, Extensions framework, Tasks, MCP Apps, auth hardening, formal deprecation policy. 10-week SDK validation window; Tier 1 SDKs expected to ship support within it

Claude Code this week

• v2.1.150 - May 23: internal infrastructure improvements, no user-facing changes
• v2.1.149 - May 23: /usage gets a per-category breakdown of usage limits; /diff detail view adds keyboard navigation (arrows, vim keys); GitHub Flavored Markdown task list checkboxes now render properly
• v2.1.148 - May 22: fixed Bash tool returning exit code 127 on every command for affected users
• v2.1.147 - May 22: pinned background sessions stay active when idle and restart to apply updates; /simplify renamed to /code-review with effort-level support and PR-comment posting; auto-updater error reporting and retry logic improved

The broader week

• KPMG Digital Gateway Powered by Claude - alliance announced May 19. Claude lands inside KPMG's platform with access for its 276,000+ global workforce; covers audit, tax, advisory, and internal workflows
• Anthropic's Code with Claude showed off coding's future, whether you like it or not - MIT Technology Review on the SF + London events and what the agent stack now looks like end to end